AAP-58797: Operator - Implement Chatbot authentication

romartin · romartin · commit 592624015bbe · 2025-12-24T01:48:00.000+01:00
Signed-off-by: romartin &lt;roger600@gmail.com&gt;
diff --git a/molecule/default/tasks/1_1_create_instance.yml b/molecule/default/tasks/1_1_create_instance.yml
@@ -8,7 +8,7 @@
     definition: "{{ lookup('template', template_item) | from_yaml }}"
     apply: true
     wait: yes
-    wait_timeout: 900
+    wait_timeout: 1200
     wait_condition:
       type: Running
       reason: Successful
diff --git a/roles/chatbot/defaults/main.yml b/roles/chatbot/defaults/main.yml
@@ -42,6 +42,11 @@ _chatbot_mcp_lightspeed_image_version: "{{ lookup('env', 'DEFAULT_CHATBOT_MCP_LI
 chatbot_config_secret_name: ''
 # ========================================
 
+# ----------------------------------------
+# Configuration for the Chatbot API Key
+# ----------------------------------------
+chatbot_api_key_secret_name: 'chatbot-api-key'
+# ========================================
 
 # ----------------------------------------
 # Configuration for underlying service
diff --git a/roles/chatbot/tasks/handle_chatbot_api_key_secret.yml b/roles/chatbot/tasks/handle_chatbot_api_key_secret.yml
@@ -0,0 +1,16 @@
+---
+- name: Set the composed Chatbot API Key Secret name.
+  set_fact:
+    _chatbot_api_key_secret_name: "{{ ansible_operator_meta.name }}-{{ chatbot_api_key_secret_name }}"
+
+- name: Check for existing Chatbot API Key Secret
+  set_fact:
+    _chatbot_api_key_secret: "{{ query('kubernetes.core.k8s', kind='Secret', namespace=ansible_operator_meta.namespace, resource_name=_chatbot_api_key_secret_name) }}"
+
+- name: Create Chatbot API Key Secret
+  kubernetes.core.k8s:
+    state: present
+    definition: "{{ lookup('template', 'secrets/chatbot_api_key_secret.yaml.j2') }}"
+  no_log: "{{ no_log }}"
+  when:
+    - _chatbot_api_key_secret | length == 0
diff --git a/roles/chatbot/tasks/main.yml b/roles/chatbot/tasks/main.yml
@@ -14,6 +14,9 @@
   - name: Read AnsibleAIConnect's Chatbot secret
     ansible.builtin.include_tasks: read_chatbot_configuration_secret.yml
 
+  - name: Read AnsibleAIConnect's Chatbot API Key
+    ansible.builtin.include_tasks: handle_chatbot_api_key_secret.yml
+
   - name: Clean up old Chatbot PVC before upgrade
     ansible.builtin.include_tasks: upgrade_chatbot.yml
 
diff --git a/roles/chatbot/tasks/remove_chatbot_api.yml b/roles/chatbot/tasks/remove_chatbot_api.yml
@@ -23,6 +23,14 @@
     namespace: '{{ ansible_operator_meta.namespace }}'
     wait: yes
 
+- name: Remove Chatbot API Key Secret resource
+  kubernetes.core.k8s:
+    state: absent
+    kind: Secret
+    name: '{{ ansible_operator_meta.name }}-{{ chatbot_api_key_secret_name }}'
+    namespace: '{{ ansible_operator_meta.namespace }}'
+    wait: yes
+
 - name: Remove Chatbot Service resources
   kubernetes.core.k8s:
     state: absent
diff --git a/roles/chatbot/templates/chatbot.configmap_lightspeed_stack_config.yaml.j2 b/roles/chatbot/templates/chatbot.configmap_lightspeed_stack_config.yaml.j2
@@ -31,6 +31,10 @@ data:
       transcripts_enabled: false
     customization:
       system_prompt_path: /.llama/distributions/ansible-chatbot/system-prompts/default.txt
+    authentication:
+      module: "api-key-token"
+      api_key_config:
+        api_key: ${env.CHATBOT_API_KEY}
 {% if _aap_gateway_url is defined or _aap_controller_url is defined %}
     mcp_servers:
 {% if _aap_gateway_url is defined and _aap_controller_url is defined %}
diff --git a/roles/chatbot/templates/chatbot.deployment.yaml.j2 b/roles/chatbot/templates/chatbot.deployment.yaml.j2
@@ -106,6 +106,11 @@ spec:
             value: /.llama/data
           - name: EMBEDDING_MODEL
             value: ./embeddings_model
+          - name: CHATBOT_API_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "{{ ansible_operator_meta.name }}-{{ chatbot_api_key_secret_name }}"
+                key: api_key
           - name: PROVIDER_TOKEN
             value: {{ chatbot_token }}
           - name: PROVIDER_URL
diff --git a/roles/chatbot/templates/secrets/chatbot_api_key_secret.yaml.j2 b/roles/chatbot/templates/secrets/chatbot_api_key_secret.yaml.j2
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: '{{ ansible_operator_meta.name }}-{{ chatbot_api_key_secret_name }}'
+  namespace: '{{ ansible_operator_meta.namespace }}'
+  labels:
+    {{ lookup("template", "../common/templates/labels/common.yaml.j2") | indent(width=4) | trim }}
+stringData:
+  api_key: '{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}'
diff --git a/roles/model/defaults/main.yml b/roles/model/defaults/main.yml
@@ -49,6 +49,11 @@ auth_config_secret_name: ''
 model_config_secret_name: ''
 # ========================================
 
+# ----------------------------------------
+# Configuration for the Chatbot API Key
+# ----------------------------------------
+chatbot_api_key_secret_name: 'chatbot-api-key'
+# ========================================
 
 # ----------------------------------------
 # Configuration for underlying service
diff --git a/roles/model/templates/model.deployment.yaml.j2 b/roles/model/templates/model.deployment.yaml.j2
@@ -204,6 +204,11 @@ spec:
             secretKeyRef:
               name: "{{ __model_pipeline_secret_name }}"
               key: config
+        - name: CHATBOT_API_KEY
+          valueFrom:
+            secretKeyRef:
+              name: "{{ ansible_operator_meta.name }}-{{ chatbot_api_key_secret_name }}"
+              key: api_key
 {% if chatbot_config is defined %}
         - name: CHATBOT_DEFAULT_PROVIDER
           value: {{ chatbot_llm_provider_type }}
